Time Window Examples (Cache Queries)

Time windows use a stream policy that specifies how long an entity remains in the window.

For more information, see Stream Policy.

The expiry time is calculated from a start time. You can use an event or concept's timestamp property to define the start time. Otherwise, the time the event or concept entered the window is used as the default start time.

Note: Events whose expiry time is exceeded when they arrive in the window
A query that uses a time window processes events that have already expired when they enter the window. The expired events appear in the window for one cycle and then leave the window in the next cycle.

The following query holds PizzaOrderEvents for 45 minutes after the OrderTime in a time window.

select coldpizza from /PizzaOrderEvent {policy: maintain last 45 minutes using coldpizza.OrderTime; emit: dead} coldpizza;

When the using clause is omitted, the window uses the default timestamp that is associated with the event when it enters the query.

Delaying Output with an Emit Dead Clause

Without an emit: dead clause, the query would produce each event as output as soon as the event arrives. With the emit: dead clause, the output is delayed for the amount of time specified in the window policy.

The following query maintains a count over a 2-minute time window of network ping events. Whenever the number of pings in the last two minutes exceeds 120, the query produces output that can be treated as an indication of an attack.

select count(*) from /NetworkPing {policy: maintain last 2 minutes} dosattack group by 1 having count(*) > 120;
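
The following Python sketch is an added example, not code from the product. It is a simplified model of the NetworkPing query above: a 2-minute window, a count, and the threshold of 120. The class and function names, the one-cycle-per-ping model, and the sample ping times are assumptions made for illustration.

```python
import heapq

WINDOW_MS = 2 * 60 * 1000   # "maintain last 2 minutes"
THRESHOLD = 120             # "having count(*) > 120"

class TimeWindowCounter:
    """Simplified model of a time window with a count(*) aggregate."""

    def __init__(self, window_ms=WINDOW_MS):
        self.window_ms = window_ms
        self._expiries = []  # min-heap of expiry times of entities in the window

    def offer(self, arrival_ms, start_ms=None):
        """Process one ping as one cycle and return the window count.

        start_ms models a `using` timestamp property; when omitted, the
        arrival time is the start time, as in the NetworkPing query.
        """
        # Entities whose expiry time has passed leave at the start of the cycle.
        while self._expiries and self._expiries[0] <= arrival_ms:
            heapq.heappop(self._expiries)
        start = arrival_ms if start_ms is None else start_ms
        # An entity that is already expired still enters for this one cycle.
        heapq.heappush(self._expiries, start + self.window_ms)
        return len(self._expiries)

def detect(arrivals_ms, threshold=THRESHOLD):
    """Return (arrival_ms, count) for every cycle where count exceeds threshold."""
    window = TimeWindowCounter()
    alerts = []
    for t in arrivals_ms:
        count = window.offer(t)
        if count > threshold:
            alerts.append((t, count))
    return alerts

# Constructed sample input: 10 minutes of one ping every 2 s, then a
# 60-second burst of five pings per second.
BASELINE = list(range(0, 600_000, 2_000))
BURST = list(range(600_000, 660_000, 200))

if __name__ == "__main__":
    alerts = detect(BASELINE + BURST)
    print("first alert:", alerts[0], "total alerts:", len(alerts))
```

The baseline alone keeps 60 pings in the window and never produces output. The burst first pushes the count above 120 about 13 seconds after it starts, because older baseline pings are still expiring while the new ones accumulate.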